IBM researchers in Zurich, Switzerland, have developed novel worm-squashing software the company says it wants to turn into a product to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month . . . The system uses a unique approach to detecting malicious software by looking at traffic flowing to Internet addresses that aren’t assigned to specific computers, trying to isolate computers on a network that attempt to infect others
IBM Squashes Worms
Submitted by ajam 2003-09-01 Bugs & Viruses 20 Comments
Good for IBM… they’re always coming out with really useful products. Just the other day I checked out their voice synthesiser, and the realism blew me away. Great job.
If we can’t count on MS to fix their own problems I guess some will have to.
I know MS has had the patch out for a month now, but after having quite a few people come into our IT office and say that their computer STOPPED working after they patched I begin to wonder how effective it is.
Where I work, we set up a “black hole” router that injects specific IP networks into our OSPF routing domain. These routes are the latest published Bogon routes, see: http://www.cymru.com/Bogons/index.html. Part of the advertisements also advertise larger, less-specific RFC1918 address space. So, if a system attempts random scanning of unassigned public, or, private address space, it gets directed to this router. For example, if you try to scan 10.18.12.0/24 and it really doesn’t exist, this router is advertising 10.0.0.0/8, the next best thing. So packets for 10.18.12.3/32 would go to this router. This works for our entire global network because all of our sites participate in the same OSPF routing domain. On the last leg to the sinkhole router, we have a Snort IDS system inspecting all traffic. Also, we log all traffic that the router receives. It turns out that this is a great early warning system for worms as well because most all traffic that this router receives is automatically suspect.
And very easily, as most admins will only use the bogon list instead of creating a few of their own, so …
The software required to effectively stop virii and worms on windows would take 99% of resources. ha!
Add-on software is not a substitute to a secure operating system. Of course Microsoft would have you believe otherwise…
Nice post ryan, good to see something informative here for a change. One thing I’m confused about though.
This certainly helps to identify problems but in the case of a worm by the time you find out something is wrong, the network is already corrupted. All the IDS is going to do is tell you where it came from and what it is doing, right?
Virii is not a word.
It would be an even better solution if it looked at the X-Mailer line of emails and if it said “Microsoft Outlook” or “Microsoft Outlook Express”, instant blacklist.
It’s sad that people take these kinds of worm infections to be a basic normal part of everyday internet life, when in reality the real culprit is Microsoft’s unwavering belief that absolutely every piece of software they produce has to be able to execute scripts. These worms never affect Eudora, Mozilla Mail, Apple Mail, Kmail, or Evolution…can’t the public put two and two together YET?
Virii is plural for virus, it’s Latin and thus a word.
I’m curious. Are home-grown routers the only ones that implement such?
What would definitely help the health of the internet would be egress filtering of src IP addresses at ISP level. Why an ISP lets traffic out with a spoofed netblock is beyond me!
Viri is Latin
IBM is continuing to develop useful solutions vs. the crap that is coming out of Microsoft’s “Research Facility”. I am all into research, but if a company is going to fund a project, I (as a CEO) would like to actually see a practical application for it. If money is simply being poured down the drain because of some “coolness” factor then I really question some businesses’ priorities.
If these people WANT to expand into non-core related areas then by all means, become a university fellow and let the tax payer cough up the money.
Despite frequent claims to the contrary, the only correct English plural of the word used in any of these senses is viruses, not virii. The “ii” is used to denote plurality in Latin words ending in “ius”, not “us”.
<quote>The system uses a unique approach to detecting malicious software by looking at traffic flowing to Internet addresses that aren’t assigned to specific computers, trying to isolate computers on a network that attempt to infect others</quote>
Isn’t that just a version of a honeypot?
This is not going to be easy, it will require a lot of datamining to be correctly implemented.
LEMMA you were so wrong!!!! HAHAHHAHA
How can you keep on living after such a STUPID mistake???!!!
Yes, the bogon router/black hole router only gets hit when people misconfigure something, such as systems management tools walking large non-existent networks, nmap’ing of larger than needed (often erroneous) blocks of networks or when there is a genuine worm outbreak. Full IDS coverage is hard to achieve, especially with a few dozen sites around the world. This gives you a chance to see internal traffic related to the worm, close to the outbreak of the worm even for sites for which there is not full IDS coverage. For recent worms, it was effective because their internal propagation mechanisms weren’t very fast and their scanning technique quickly led them out of their local subnet to go looking at random networks in their same prefix. SQL Slammer took seconds to get most networks into a state of chaos and this would do almost nothing for you for something like SQL Slammer which was based on UDP and the entire exploit and propagation code was contained in a single UDP packet.
Someone asked if “homebrew” routers are the only routers capable of this…Certainly not. All we did was set up a bunch of static routes to these bogus networks and redistribute (inject) them into OSPF. This could have been any vendor’s router. We basically made the router lie about what it had reachability to.
If anything, this also provides you with a nice sanity check for existing IDS systems when it comes to scanning and worm-like activity because you don’t have to contend very much with false positives. Anything received by the router/IDS pair is suspicious and can get more attention. The drawbacks to such a solution are understanding the limitations and what it can buy you in terms of IDS and making sure you keep the bogon route list up to date. If ARIN, APNIC or RIPE suddenly dish out new blocks that haven’t been used up until now (it happens a few times a year) you could be misrouting that traffic.
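The sinkhole behaviour described in the two posts above, as an added example that is not part of the original thread: longest-prefix match sends traffic for nonexistent subnets to the less-specific sinkhole route, sources hitting many distinct sinkholed addresses are flagged, and sinkhole prefixes are checked against newly allocated blocks. The route table, flow records, threshold, and function names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed routing table: real site subnets plus the prefixes the sinkhole
# router advertises (less-specific RFC 1918 space and a stand-in bogon block).
ROUTES = [("10.1.0.0/16", "site-a"), ("10.2.4.0/24", "site-b"),
          ("10.0.0.0/8", "sinkhole"), ("192.168.0.0/16", "sinkhole"),
          ("203.0.113.0/24", "sinkhole")]
TABLE = [(ipaddress.ip_network(p), hop) for p, hop in ROUTES]

def next_hop(dst):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, hop) for net, hop in TABLE if addr in net]
    return max(matches)[1] if matches else "default"

def scanners(flows, threshold=3):
    """Sources that sent to at least `threshold` distinct sinkholed addresses."""
    dark = defaultdict(set)
    for src, dst in flows:
        if next_hop(dst) == "sinkhole":
            dark[src].add(dst)
    return {s: len(d) for s, d in dark.items() if len(d) >= threshold}

def stale_routes(allocated):
    """Sinkhole prefixes that overlap newly allocated blocks (list out of date)."""
    new = [ipaddress.ip_network(a) for a in allocated]
    return [str(net) for net, hop in TABLE
            if hop == "sinkhole" and any(net.overlaps(n) for n in new)]

# Constructed flow log of (src, dst) pairs, as seen across the whole network.
FLOWS = ([("10.1.5.23", f"10.18.12.{i}") for i in range(1, 6)]  # sweep of a dead /24
         + [("10.2.4.7", "10.1.0.5"),     # normal traffic to a real subnet
            ("10.2.4.7", "10.99.0.1")])   # one stray packet, e.g. a misconfiguration

if __name__ == "__main__":
    print(next_hop("10.18.12.3"), next_hop("10.1.0.5"))
    print(scanners(FLOWS))
    print(stale_routes(["203.0.113.0/25"]))
```

The threshold separates the occasional misconfigured host from a sweep; the stale-route check is the maintenance step the post warns about when a registry hands out a previously unused block.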
Can SNORT be used to flag worm or virus traffic?
And why does none of the antivirus software flag spyware???